Tag Archives : Newsletter 70

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, member of AMRAE

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space, describes the development of a response methodology to create resilience against cyber risks.

There are three main obstacles to a good understanding of cyber risks in our organisations, which I believe are common to most businesses:

1/ It has long been perceived as an IT issue only, which neglects addressing the related business impact. This is especially critical with the increase in connectivity of industrial systems.

2/ Confidentiality is a major element preventing a clear and open analysis of this risk as information management is a critical security issue; even creating a list of potential vulnerabilities is a huge concern.

3/ Finally there is a fear that disclosing a cyberattack suffered or even admitting a potential vulnerability could endanger the reputation of the company.

To get over these obstacles, the risk manager has to be able to demonstrate to the CEO or the executive committee the possible financial impact of a massive cyber attack in terms of business interruption and loss of business opportunity. For this, the risk manager needs data to show the organisation’s current state of cyber resilience, past and future cyber protection investments, and mitigation of the risk.

We must also be able to explain the legal and regulatory implications of dealing with data breaches, especially under US laws, and the protection of critical infrastructures under French and EU laws.

The risk manager needs a cyber risk map of the information system of the organisation showing the most sensitive assets to be protected. Finally he or she will use this information to engage with the insurance market.

We found that no convincing method had already been developed for doing this; we had to develop one ourselves. SPICE stands for Scenario Planning to Identify Cyber Exposure. It is an initiative sponsored by the CFO of Airbus Defence and Space and initiated by me as Head of Insurance Risk Management. It is a pilot programme for a business impact analysis to identify cyber-related disaster scenarios that could affect our operational capability, and it is truly innovative.

No convincing method available
SPICE needs high-level technical experts who know the cyber threat environment of the organisation. To start, we gathered representatives of all the functions, as well as from IT and information management security, to:
• Educate the operational managers about the new cyber threats;
• Discuss the security issues with great care;
• Openly consider some potential cyber attack scenarios – and not assume it could not happen to us;
• Support the ‘impacted’ functions and information management security on quantification.

Attacks: We focussed on identifying potentially catastrophic scenarios:
• Who might attack us and what would their motives be?
• What functions and assets would be impacted?
• How would we recover and how long would it take?

Cost: We calculated the business and operational impact with inputs from operations. We split the scenarios into four phases from security breach to recovery, including investment in remediation, to estimate the possible costs at each phase. What did we learn from this?
• The numbers relate to our financial exposure – but there is no final number.
• Management has to play a part.
• The objective is to reach a consensus that is acceptable to everyone and valid for our analysis.

Probability: Local information management security then evaluated the technical probability of success at each step of the attack. For this we used the Cyber Kill Chain developed by Lockheed Martin, which plots the stages of an attack, from preparation through intrusion to active breach, against the time involved.

Lessons: The same method applied by experts at two different sites produced two different probability numbers. We learned that we need a homogeneous approach, but that it also has to be associated with different types of attackers, from malicious individuals to organised criminals or foreign government agencies. We have to ask: why would they undertake the specific attack which is the subject of our scenario?

Mitigation: SPICE helps us develop our mitigation security plan and link it to business needs. We measured the cost of implementing further IT security measures to reduce the probability of occurrence and, as a consequence, the resulting exposure. Once this IT investment has been made, it makes economic sense to evaluate how to mitigate the residual exposure through insurance. This gives us the basis for a dialogue with the insurance market to complement the mitigation strategy with an insurance programme tailored to our needs.
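The four SPICE steps above (catastrophic scenario, phased costs, per-step kill-chain probability, mitigation investment and residual exposure) as a small worked model. This is an added example in Python, not Airbus's or FERMA's own tooling; the stage names, probabilities, cost figures and the "network segmentation" control are constructed for illustration, and stages are treated as independent, which is a simplification.

```python
"""SPICE-style scenario quantification: kill-chain step probabilities,
phased costs, and the effect of a mitigation investment on exposure.
Added example with constructed figures, not Airbus data."""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Stage:
    """One step of the attack, with the estimated probability that the
    attacker gets through it given the controls currently in place."""
    name: str
    p_success: float


@dataclass(frozen=True)
class Scenario:
    name: str
    stages: List[Stage]             # ordered like the Cyber Kill Chain
    phase_costs: Dict[str, float]   # EUR per phase, from breach to recovery

    def p_occurrence(self) -> float:
        """The attack succeeds only if every stage succeeds. Stages are
        assumed independent here (simplifying assumption of this example)."""
        p = 1.0
        for stage in self.stages:
            p *= stage.p_success
        return p

    def total_cost(self) -> float:
        return sum(self.phase_costs.values())

    def expected_exposure(self) -> float:
        return self.p_occurrence() * self.total_cost()


def apply_control(scenario: Scenario, stage_name: str, reduction: float) -> Scenario:
    """Copy of the scenario where the named stage's success probability is
    reduced by `reduction` (0.5 halves it). Unknown stage names are an error."""
    if not any(s.name == stage_name for s in scenario.stages):
        raise ValueError(f"unknown stage: {stage_name}")
    stages = [replace(s, p_success=s.p_success * (1.0 - reduction))
              if s.name == stage_name else s
              for s in scenario.stages]
    return replace(scenario, stages=stages)


def evaluate_investment(before: Scenario, after: Scenario, annual_cost: float) -> Dict[str, float]:
    """Expected exposure before and after a control, net of the control's cost.
    The residual exposure is the figure taken into the insurance dialogue."""
    reduced = before.expected_exposure() - after.expected_exposure()
    return {
        "exposure_before": before.expected_exposure(),
        "exposure_after": after.expected_exposure(),
        "net_benefit": reduced - annual_cost,
        "residual_exposure": after.expected_exposure(),
    }


# Constructed sample scenario: three coarse kill-chain phases, four cost phases.
RANSOMWARE_ON_PRODUCTION = Scenario(
    name="ransomware halts a production line",
    stages=[Stage("preparation", 0.9), Stage("intrusion", 0.4), Stage("active breach", 0.5)],
    phase_costs={"breach": 500_000.0, "interruption": 6_000_000.0,
                 "recovery": 1_500_000.0, "remediation": 2_000_000.0},
)

if __name__ == "__main__":
    # Hypothetical control: network segmentation halves the intrusion probability.
    segmented = apply_control(RANSOMWARE_ON_PRODUCTION, "intrusion", 0.5)
    for key, value in evaluate_investment(RANSOMWARE_ON_PRODUCTION, segmented, 400_000.0).items():
        print(f"{key:>18}: {value:,.0f} EUR")
```

Running two sites' differing probability estimates through the same scenario shows directly how far the exposure figures diverge, which is the "lessons" point above.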

Conclusions:

• We believe this methodology is key in obtaining valuable insight into our cyber risk exposures.
• This process needs to be performed regularly and as exhaustively as possible.
• We have to be able to roll out the process across the whole company, its products and its locations.
• We must be able to work with operations.
• SPICE provides elements for the risk manager to enlarge the current scope of ERM (enterprise risk management) to encompass cyber risks.

When it comes to cyber risks, many challenges remain in front of us. There is simply no single response. At the same time, there is no alternative to the development of the digital economy, and industry has to adapt, taking advantage of the new possibilities offered by technology to improve efficiency, reliability and profitability. This opportunity, however, generates in itself new risks which have to be addressed and for which a dedicated risk management policy has to be defined. We need a collective effort coordinated between industry, the insurance market and the public authorities. It is time to move from awareness to action.

Philippe Cotelle, Head of Insurance Risk Management at Airbus Defence and Space is a member of AMRAE and has been supporting FERMA in the development of its response to the European Commission’s consultation on cyber risk. He is also working with François Beaume, President of AMRAE’s commission on information systems.

The following speech was delivered at a conference on cyber risks at the European Parliament on 23 February 2016.

Jo Willaert, FERMA President

“Honorable Members of the European Parliament, representatives of the European Commission, ladies and gentlemen,

As President of the European Federation of risk management associations, and myself as Risk Manager for Agfa-Gevaert for 15 years, it is my privilege today to be a guest in the European Parliament, the heart of the European Union.

I want to thank Mark Weil, CEO Marsh UK and Ireland, for inviting me to speak at this conference.

Earlier this month, a Los Angeles hospital, the Hollywood Presbyterian Medical Center, was the victim of a cyberattack called ransomware. On 5 February, hackers took over the medical records and shut down the hospital’s computer servers for more than 10 days.

Even patients had to move to other hospitals because key software was locked.

I understood that last Wednesday, the hospital announced they finally paid the hackers to regain control of its computers.

Hospitals and all businesses are going to have to invest in cybersecurity and it’s not cheap.

You might know that the risk manager function in the financial sector is already well defined. In the “real economy”, however, it isn’t the case. Companies are free to decide whether or not they want to hire a risk manager.

Today, I would like to draw your attention on three key elements for FERMA when we speak about cyber security:

First, I’ll express our concern regarding the new systemic nature of cyber risks. The possibility that cyber-attacks at a company level could trigger severe instability or collapse an entire industry or economy.

Second, I will outline how businesses, governments and insurers should collaborate to protect our critical infrastructures. Increasing the resilience of our industries should be our common objective.

Third, I’ll try to convince you that we need a new corporate governance to respond to cyber threats in which the risk manager has a central role.

1. Cyber risk is today a risk that every company is faced with.

Let’s be clear; the inter-connectivity between machines in the supply chain and cloud computing is a source of systemic risk.

This is similar to what we faced in 2008 when the banking sector almost collapsed because of the size of institutions that were “too big to fail”.

The failure (provoked or not) of one major digital provider could today put a stop to thousands of organizations or at least disturb seriously their activities.

For example, the healthcare and the financial sectors deal with very sensitive data. Data of thousands of organisations are more and more stored outside the company in the cloud. They are hosted by a handful of digital providers like Amazon, Microsoft, IBM and Google. This is already a reason to worry about a systemic risk.

It’s a challenge for companies to assess these risks because it raises issues of confidentiality and reputation. This is preventing a clear and open analysis of cyber risks.

Disclosing a cyber-attack or admitting a potential vulnerability endangers the reputation of a company towards its stakeholders.

As a response, the EU legislator has taken action with the adoption of the NIS Directive for critical infrastructures and the Data Protection Regulation for personal data.

These laws will require organizations to prepare themselves for the notification of incidents and data breaches to their local supervisors.

FERMA welcomes this legislation. But it must be recognized that the increased use of personal data will generate more claims for the emerging cyber insurance industry.

We can already anticipate that the European laws for cybersecurity will:
• increase the demand for cyber security solutions;
• obviously become a matter of compliance and a condition for doing business;
• and finally have an impact on claims, although it is still unclear, probably too soon, to see how insurers will price and deal with these threats.

2. Considering what has been said, a major incident, that would disrupt European industries, would require collaboration between governments, companies and insurers to protect critical infrastructures and increase resilience.

In case of catastrophic cyber losses, it will not be possible for the private sector to indemnify alone the liabilities that could arise from a critical infrastructure.

In our response to the Commission consultation on cyber security, FERMA has listed catastrophic cyber losses as one of the 3 main cyber security challenges by 2020.

FERMA recommends setting up a structured dialogue between the private and public sector.

We need comprehensive solutions inspired by certain types of insurance pools or state guarantees, as is already the case to cover terrorism or nuclear risks.

3. The management of cyber risk is too often seen as being the responsibility of the IT-department only. However, the exposure to cyber threats has a potential business impact on the company as a whole.

Cyber risk is not only an IT risk; it’s an enterprise risk.

In that respect, we advocate a central role for the risk management function as regards cyber security in the company.

The risk manager should be the risk expert to support the board and the CEO. He or she should work hand in hand with the operational units (IT, Legal, Internal audit, others…) without being an IT specialist.

An integrated cyber security and breach response team is crucial to protecting the organization as a whole.

When thinking about cyber protection, management will logically refer to the IT department in the first place, and if occasion arises Legal will be involved as well. In this case, it will most of the time lead to reinforcement of back-ups and emergency procedures.

However in the companies, where risk management is part of the decision-making process, it will naturally lead to global solutions. Stand-alone insurance coverage for cyber security will be one of them.

This has been illustrated by FERMA’s last European Risk & Insurance Report. It showed that 72% of the risk managers are not sufficiently involved in IT related issues. As a result, there is no adequate stand-alone cyber coverage for their company. Later this year, with the next edition, we will see whether this figure has reduced or not.

It is also important to stress that insurers are, in most cases, not in a position to develop adapted insurance solutions. They are usually only in contact with the risk manager, directly or through the intermediary of the broker. The risk manager does not always have the tools to overview the consequences of cyber risk on the whole company. Mostly, he cannot but rely on specialists separately, e.g. IT and Legal. Suppose that:

The ever-increasing and constantly evolving landscape of breach notification laws leads the chief legal officer of company ABZW to ask his colleague risk manager to seek insurance protection.

The systemic nature of the cyber risks of the company, however, has not been tackled. Possible instability, crisis management, communication, reputation, restoration… these are all cyber issues which need comprehensive solutions.

The trigger for a purchase decision is finally the alignment of views between IT, Legal and the Board about the necessity of a cyber cover.

I’m happy to confirm that a lot of initiatives are coming from the insurance market in order to design products which are an answer to the concerns of the industry.

In my personal opinion, cyber risk protection cannot be put in one of the traditional insurance boxes, such as property, professional liability, crime… but should be a specific, stand-alone product, tailored to the needs of the industry.

As a conclusion today, I would like to remind you of these two things:

The cyber threats are now of a systemic nature:

We need to collectively develop innovative financial solutions to protect not only critical infrastructure but our economy as a whole from a digital 9/11.

The cyber security laws and all related initiatives should not forget to include a risk governance part:

Cyber threats must be understood from the top to the operational level. Here I will again insist on the necessity to give to the risk manager a central place in this cyber risk governance.

Webinar PART I Data Protection – how to adapt the risk governance to the changing regulatory landscape for personal data (Data Protection Officer, breach notifications, sanctions, hosting, transfer and treatment of personal data)?

Webinar PART II Cyber security – managing the consequences. How to identify, assess and mitigate the cyber risks? What should be the level of awareness of the Board? The Insurance part: the US example led by the existing regulations (mandatory breach and IT incident notification…)

The good management of data is now an essential part of the business model of many organisations. But with new dependencies linked to the increased use of external hosting, collection, treatment and transfer of data, it also poses heavy legal, IT and strategic challenges.

If it is no longer a purely IT or legal issue, who is required to take the strategic decisions to allocate the right resources (staff and budget)? What role for the Board?

Should data protection be higher on the Board agenda?

How should Board members get the right information on the specific data risks of their organisation to be in a position to decide?

Who will be the interface between the practical concerns and the need for strategic decisions?

Is there a role for the risk manager as the instrument to collect, consolidate and analyse the relevant information related to the data protection and the cybersecurity of the organization?

During the last annual conference of the French association AMRAE in Lille last February, the President of AMRAE Brigitte Bouquot and FERMA President Jo Willaert shared their views on the need for a sense of urgency in managing risks which are today systemic and inter-connected.

Brigitte Bouquot, AMRAE President and Director of Insurance and Risk Management at Thales

FERMA: In terms of AMRAE’s relationship with Europe, what are your priorities?

Brigitte: Solvency II is certainly something which we have followed closely. We see that large insurers are very prudent. They are taking time to discuss risks, to do their scenarios. They are taking more time to make decisions. At the same time, I believe that the current process of consolidation in the insurance market is positive for risk managers. The risk carriers have become very powerful which is good for us because risks are becoming extreme. We are looking for insurers which can offer truly global programmes and are very powerful.

We are also aware that there are enormous implications for French enterprises in developments related to data privacy, the end of safe harbour provisions for data transfer and other cyber risks. I think the legal landscape for business in Europe has become more demanding for these issues, and there are others such as the use of drones, where companies are expected to anticipate more and not wait for the European Commission to act.

Jo: The consolidation in the insurance market reflects the development of industry generally, but the market is large and there aren’t monopolies. Among the large, global insurers, there are still sufficient for us to choose from, and the capacity is now enormous. I think this regrouping is also a good thing in terms of the quality of these large insurers and the expertise they can offer.

Brigitte: Insurance is a business of people. With mergers, there is an increase of capacity and expert capability, but there is a risk of losing expertise and knowledge if key people leave.

Jo: There is an advantage in the larger number and the wider skills of the people working in these companies. I think this consolidation reinforces the profession and deepens the knowledge available. They are already at a high level and will improve still further as mergers bring them together.

FERMA: Has Solvency II been a big issue in terms of captives for AMRAE members?

Brigitte: Yes and no. Everyone has done what they needed to do for Solvency II. It was primarily an administrative process. It did require work, and there were some difficult decisions to be made. It was most profound in terms of risk of underwriting, governance, and some corrections to elements of the accounts. But it was not an expensive exercise in terms of capitalisation.

Jo: It was no more difficult than it was for a commercial insurer, but it did make companies reflect before starting a new captive.

Brigitte: There is something interesting for industrial or commercial enterprises. You have a model of risk which is very operational. Then when you try to apply this approach to insuring the enterprise, it seems that sometimes the company’s idea of enterprise risk may not be the same as that of the insurers.

Jo Willaert, FERMA President and Agfa Gevaert Risk Manager

Jo: If you have applied Solvency II for your captive, then you have an insight into the insurers’ spirit of governance. Solvency II has had advantages for us all. Everyone who bears risk had to reflect.

Brigitte: This has been an evolution, not a revolution. Whether or not to have a captive is a strategic decision, not one for an overnight decision. A captive is still a useful tool if you want to be more creative or imaginative in your risk transfer projects, but it requires consideration.

FERMA: Of two big risks, cyber and climate change, which do risk managers see as more of a concern?

Brigitte: Cyber. Without minimising the potential impact of climate change, even with risks such as more intense storms, there is still a continuity. These are risks which we already manage and ones for which insurers know how to find solutions. The mechanisms are in place and they are robust. Cyber is much more difficult because there are many possible loss scenarios, loss of data, denial of service attacks and so on, and they are continually changing. This is very challenging.

Jo: The mechanism of underwriting catastrophe risks is not different in nature to what it has been, although we have to adapt to the circumstances. With cyber-related risks, we have different types of exposure: first party and third party, liabilities and non-damage business interruption. More and more, the risks are interlinked. The underlying problem can be an IT one, but it comes with the problem of reputation, communication and crisis management, for instance. The great challenge for insurers is to overcome the restrictions of their traditional classes of underwriting, so that we can have contingent business interruption cover across different lines of business.

FERMA: What is your working relationship like with the insurance industry?

Brigitte: We want insurers to understand that they should be more creative in matching their solutions to the needs of their clients. We have to do this quickly because risk is going to increase very quickly. My desire is that everyone is motivated and takes this changing situation to heart. Insurers need to be aware that their image with boards has to be reinforced continuously.

Jo: Boards and top managers of companies only tend to come into contact with insurance when there is a problem, when they have a risk which isn’t covered. They don’t often see insurers as collaborators, but as vendors of policies. They are more inclined to see banks as collaborators, as partners, even though insurers came out of the financial crisis in much more robust shape than banks.

Brigitte: It is the job of the risk manager to tackle subjects which are taboo. We have to take those subjects and work on them. Risks evolve. If insurers’ products do not adapt accordingly, their image could suffer.

Jo: We believe recognition of the function of risk management is so important in this context because the profession knows what products are available and has creative ways to find other solutions. We have to be able to present them to the board, using the right language and setting them in the context of the business plans.